Bug bounty platform HackerOne raises $25M

HackerOne solicits hackers to find vulnerabilities in company systems for a paid reward

(Updated with comment from HackerOne)

Cybersecurity has always been a concern, even for the average person, but in the last few years it has exploded, as we went from simply having to worry about viruses and malware to full blown attacks. And nobody is safe, not even big movie studios or the United States government.

HackerOne has a solution:  it wants to put hackers to good use. The company offers a bug bountry program, where companies will pay to have hackers go into their system and see where they are vulnerable. Because the truth is that hackers know the systems better than anyone. And they might be our best hope for stopping bad actors.

The idea seems to be resonating, as HackerOne revealed a new $25 million funding round on Wednesday.

The round was led by New Enterprise Associates, and included participation from existing investors, including Benchmark, as well as numerous angel investors including Salesforce Chairman and CEO Marc Benioff, Digital Sky Technologies Founder Yuri Milner, Dropbox CEO and Co-Founder Drew Houston, Yelp CEO and Co-Founder Jeremy Stoppelman, Zenefits COO David Sacks, Riot Games CEO and Co-Founder Brandon Beck, and Berggruen Holdings Chairman Nicolas Berggruen, among others.

HackerOne had previously raised a $9 million round in May of last year. This new round brings its total raised to $34 million.

Founded in 2012, HackerOne uses the hacker community to help companies, both public and private, make sure that they are not vulnerable to cyber attacks. The platform is free; Hackers are offered rewards to the hackers for finding the holes, through a payment system set up by the company. And HackerOne then takes 20% of whatever it paid out.

It is left up to the companies to decide what they want to pay out as a reward.

"HackerOne offers guidance to our customers based off of our extensive experience running these programs ourselves, but ultimately we leave the decision up to them," Alex Rice, Co-founder and CTO of HackerOne, told me.

HackerOne's customers, in turn, not only make sure that they are no longer in danger, but they also get HackerOne Analytics, which allows them to monitor team stats in real-time. Companies can share reports with team members and use past data to forecast future response team needs.

 In addition to the funding round, it was also announced that Jon Sakoda, general partner at NEA, has joined the board of directors at HackerOne.

More than 250 organizations use the HackerOne platform, including Yahoo, Twitter, Adobe, Dropbox, LinkedIn, Square, Airbnb, Slack, Snapchat, Mail.ru, QIWI and Vimeo. In addition, HackerOne is the founding member of Internet Bug Bounty, a program for hackers to divulge bugs for the most important open source software that supports the Internet, including Ruby on Rails, OpenSSL and Flash.

The company says that, so far, it has found nearly 10,000 security holes, and paid over $3.19 million in bounties to more than 1,500 independent hackers to date. 

"All software has vulnerabilities. The traditional approach for solving security issues is to bring experts into your organization to help you find these security holes -- but you can’t hire everyone. We offer our customers a way to connect with talented hackers and a clear process for engaging this community. No matter how mature a company's security, this core process for efficiently receiving and resolving external vulnerability reports are fundamental."

 

"Traditional security technology solutions have failed us. Even mature organizations with huge security teams and resources are feeling this gap. Working with the hacker community has proven to be an effective way to quickly and continuously improve security," said Rice. "Every organization needs to have a way for hackers to report a vulnerability directly to the company and this process needs to be safe, transparent and rewarding for all parties involved."

The cybersecurity space

Cybersecurity has become a big issue because of some high profile attacks, including the one on Sony Pictures by North Korea last year.

Last year, the U.S. Department of Justice leveled charges against China for cyber espionage, marking the first time the U.S. ever leveled criminal charges against a foreign government for economic cyber spying.

This came after U.S. security firm Mandiant traced over 140 cyber attacks on U.S. and foreign businesses and organizations to a specific unit in China’s army known widely as the “Comment Crew” or the “Shanghai Group.” An assessment by the National Intelligence Estimate identified a pretty extensive range of sectors that have been impacted by China’s spying, including finance, IT, aerospace, automotive, and energy, among others. Some of the companies that have been hacked include Google—obviously—as well as drone manufacturers and the makers of nuclear weapons parts.

All of this activity caused President Obama to declare that, for the first time, the country would be leveling sanctions against foreign governments and criminals who engage in cyber attacks against this country.

What this has done is created a big surge in cybersecurity companies being funded by venture capital. In the last 5 years, $7.3 billion has been invested into 1208 private cybersecurity startups, according to CBInsights. 

In 2014, funding for cybersecurity startups broke the $2 billion barrier for the first time while deals grew to a total of 269.

Some of the companies that have raised the most funding in the space over the last couple of years have included Good Technology, which raised $80 million; Lookout, which raised a $150 million round; Okta, which rased a $27 million Series D funding round; Bit9, which raised $38.25 million; and Veracode, which raised a $40 million funding round.

(Image source: ai.arizona.edu)